# NPM Publishing Checklist
## Rule
Every npm package MUST pass this checklist before publishing: proper metadata, files field or .npmignore, prepublish build step, semantic version bump, and 2FA enabled on the npm account.
## Required package.json Fields
```json
{
  "name": "@myorg/package-name",
  "version": "1.0.0",
  "description": "Clear, searchable description",
  "license": "MIT",
  "repository": {
    "type": "git",
    "url": "https://github.com/myorg/package-name.git"
  },
  "main": "./dist/index.cjs",
  "module": "./dist/index.js",
  "types": "./dist/index.d.ts",
  "exports": {
    ".": {
      "import": "./dist/index.js",
      "require": "./dist/index.cjs",
      "types": "./dist/index.d.ts"
    }
  },
  "files": ["dist/", "README.md", "LICENSE"],
  "keywords": ["relevant", "search", "terms"],
  "engines": { "node": ">=18.0.0" }
}
```
## Pre-Publish Steps
```bash
# 1. Verify package contents
npm pack --dry-run
# 2. Check bundle size
npx bundlephobia <package-name>
# 3. Test the package locally
npm link
cd ../test-project && npm link @myorg/package-name
# 4. Version bump (follows semver)
npm version patch # Bug fixes: 1.0.0 -> 1.0.1
npm version minor # New features: 1.0.0 -> 1.1.0
npm version major # Breaking changes: 1.0.0 -> 2.0.0
# 5. Publish
npm publish --access public
```
## Good: Files Whitelist
`files` is an allowlist: only the listed paths (plus `package.json`, which npm always includes) end up in the tarball, so a stray file in the working directory cannot ship by accident.
```json
{
  "files": ["dist/", "README.md", "LICENSE"]
}
```
## Bad: Publishing Everything
No `files` field and no `.npmignore`, so npm packs every file in the project directory, including source, tests and local configuration that were never meant to ship:
```json
{}
```
## Enforcement
- `npm pack --dry-run` in CI to verify package contents
- Require 2FA on npm accounts: `npm profile enable-2fa auth-and-writes`
- Use `np` or `release-it` for automated publish workflows
- Provenance: `npm publish --provenance` for supply chain transparency (requires publishing from a supported CI provider such as GitHub Actions or GitLab CI/CD, where npm can obtain the build's identity)